2 Freedombox setup -- cannot conect to XMPP server on Freedombox 1

Rudeboy · December 29, 2022, 10:31pm

I have 2 Freedombox servers. Both of them are the Pioneer Editions, running Debian 11 Bullseye FreedomBox version 22.27. My configuration is modem > router (Thinkpenguin, running libreCMC) > ethernet switcher > Freedomboxes.

Freedombox 1 was working well as an XMPP server, but Freedombox 2 was giving me problems trying to get a Let’s Encrypt certificate. It would also not allow me to connect to it via its domain name or freedombox.local, which I had been able to do before. After trying various things, I resorted to factory resetting the router. I connected Freedombox 2 while leaving Freedombox 1 unplugged, and was able to obtain a Let’s Encrypt certificate with no issues. When I reconnected Freedombox 1, I was no longer able to connect to my XMPP server. Gajim shows I am offline, and will not connect when I try to set my status as online.

For both Freedomboxes, I am able to:

Connect using the private IP addresses
Connect using domain names
Connect using .onion addresses
Obtain and re-obtain Let’s Encrypt certificates

I have done the following:

Checked for correct port forwarding
Rebooted server
Disabled and re-enabled individual applications
Ran Diagnostics

The result of the Diagnostics run on Freedombox 1 was everything passed on Coturn and ejabberd, but Certificates failed ‘Access to domain.fbx.one’. However, I am able to re-obtain the certificate and access the Freedombox with the domain name, so I don’t know what’s happening. Freedombox 2’s Diagnostics passed everything in the Certificates category.

Freedombox 1 and 2 are using different subdomain names, but are both fbx.one addresses, eg. domain1.fbx.one and domain2.fbx.one. What am I missing?

Thanks for making Freedombox possible.

Avron · December 30, 2022, 1:42pm

The basic NAT behaviour of a routeur is to redirect a port from a public IP address always to the same local IP. If you have two public IP addresses, you can redirect one to each Freedombox and it should work.

If you have a single public IP address (like most people, including me), domain1.fbx.one and domain2.fbx.one are translated to that same IP address and your routeur then redirects all traffic to ports 80 and 443 to any of these two host names to the same Freedombox and it is not surprising that you can get a Let’s Encrypt certificate only on one of them, the one the NAT rules of your routeur. Also, you can only connect to plinth on one of them.

If you want both Freedomboxes to get Let’s Encrypyt certificates and to access plinth with their respective host names that are resolved to the same public IP address, you need to run something on the machine that gets this to redirect http traffic based on destination hostname.

I don’t know whether libreCMC includes that kind of option, this would be nice.

Personally, I am running sniproxy exactly to do that (actually, I only have one freedombox but I have another machine running an http server, hence why I use this). I am not running it on my pioneer that runs freedombox but it is a machine running debian and sniproxy is a small programme so I suppose it would be possible to run it on one of your freedomboxes.

The configuration is in the /etc/sniproxy.conf, it needs something like (assuming sniproxy is running on domain1.fbx.one, and the local IP addresses of freedombox1/2 are 192.168.1.11/12):

# Username for the daemon
user sniproxy-daemon
# PID file
pidfile /var/run/sniproxy.pid

error_log {
    # Log to the daemon syslog facility
    syslog daemon

    # Alternatively we could log to file
    #filename /var/log/sniproxy/sniproxy.log

    # Control the verbosity of the log
    priority notice
}

access_log {
    filename /var/log/sniproxy/access.log
}
# blocks are delimited with {...}
listen 0.0.0.0:8888 {
    proto http
    table http_hosts
    # Fallback backend server to use if we can not parse the client request
    fallback 192.168.1.11:80

    access_log {
        filename /var/log/sniproxy/http_access.log
        priority notice
    }
}

listen 0.0.0.0:8889 {
    proto tls
    table https_hosts
    fallback 192.168.1.11:443

    access_log {
        filename /var/log/sniproxy/https_access.log
        priority notice
    }
}

# named tables are defined with the table directive
table http_hosts {
    domain1.fbx.one 192.168.1.11:80
    domain2.fbx.one 192.168.1.12:80
}
table https_hosts {
    domain1.fbx.one 192.168.1.11:443
    domain2.fbx.one 192.168.1.12:443
}

Then I made this as a service with a sniproxy.service like this:

[Unit]
Description=HTTPS SNI Proxy
After=network.target
Documentation=man:sniproxy(8) file:///usr/share/doc/sniproxy/

[Service]
EnvironmentFile=-/etc/default/sniproxy
Type=simple
ExecStart=/usr/sbin/sniproxy -f
Restart=always

[Install]
WantedBy=multi-user.target

I also have a libreCMC routeur from ThinkPenguin, so if you find out that libreCMC can run sniproxy I am interested to hear about it

EDIT: What I mentioned will work for http but you still can’t access ejabberd on both Freedomboxes with their respective names. For that, you would really need another public IP address. In France where I live there is a non-commercial ISP that provides a VPN service that comes with a fixed public IP and unfiltered access, so perfect for another freedombox.

Rudeboy · January 1, 2023, 10:20pm

Thank you for the reply!

I am interested in having both Freedomboxes run seperate XMPP servers, so as I understand from your edited post, I cannot use sniproxy for this purpose. I found out my ISP gives me 2 IP addresses. Within libreCMC, I can see an option to add a new network interface; would I need to configure something like this?
This is the setup I would like to have:

IP 1 resolves to domain 1 which connects to Freedombox 1
IP 2 resolves to domain 2 which connects to Freedombox 2

I would assume that it’s possible to do using one only router, but my networking knowledge is weak. How would I accomplish this in libreCMC?

Thank you

Avron · January 2, 2023, 3:01pm

Sorry but I have neither experience nor knowledge about having multiple IP addresses from the home ISP.

If your routeur is running libreCMC, openWRT documentation should be largely applicable to it. I found [OpenWrt Wiki] Using multiple public IPs on WAN interface on this topic, it probably has useful advice but it looks rather elliptic.

You may need some kind of configuration like this, with a “wan interface” (this does not mean a physical interface, see [OpenWrt Wiki] Clarifying the term "Interface") for each freedombox configured as listed but I am not sure how to determine the “gateway” address, perhaps you would need information from your ISP.

Rudeboy · January 3, 2023, 6:47pm

Thank you for the link. I was looking for the libreCMC documentation, but it’s mostly about building from source and installation. I forgot I could check OpenWRT’s instead. Maybe now I will be able to figure it out.

Thanks again!

BluishHumility · January 7, 2023, 12:19am

One way to accomplish this (multiple externally available servers sharing a single public IP) is to have a “primary” server (i.e. the one that is actually externally available) and proxy the other servers off of it. Essentially all traffic goes from your router to the primary server, and in /etc/apache2/sites-enabled/000-default.conf on that device you specify rules to redirect traffic for the second domain to the other device.

At this point in our home I have four separate websites on four separate devices (all sharing the same public IP), and the Freedombox proxies traffic to each device as it comes in–it is the only device exposed directly to the internet. The first time I figured out how to get this set up was here: [SOLVED] Apache Reverse Proxy Setup Virtual Host - #5 by BluishHumility